In recent years, ISPs (Internet Service Providers) have been interconnected with each other through an IX (interconnection point) so that they can communicate over the Internet. A network built around such an IX faces the problem of DDoS (Distributed Denial of Service) attacks, in which a large number of packets are sent to an ISP to raise its load and thereby hinder the ISP's services. An IDS (Intrusion Detection System) monitors for unauthorized intrusion into, or attacks against, the Internet or a corporate network. The IDS monitors and analyzes the packets flowing over the network and consults a database of attack methods, called signatures (the signature database), to detect unauthorized intrusion or attacks automatically. The signature database stores, as patterns of known unauthorized access, the characteristics of the data contained in the header and payload of traffic, and its contents are updated each time a new attack method is found.
A large volume of traffic is one characteristic of a DDoS attack. Consequently, the IX enters a high-load state if every flow reaching the IX is checked against the signatures to confirm whether it matches one of them.
A conventional DDoS attack detection system detects a DDoS attack not by matching signatures but by monitoring the volume of traffic. When monitoring traffic volume, the total volume is monitored together with values obtained by summing the traffic volume per protocol or per destination IP (Internet Protocol) address. Because the detection system needs only the traffic volume, the full contents of all traffic flowing over the network need not be monitored. The volume can therefore be monitored efficiently by receiving only traffic statistics from the switches or routers that form the monitored network. Commercially available switches and routers export traffic statistics in the sFlow or NetFlow format (refer to Non-patent Documents 1 and 2).
A DDoS attack that disables a server has the characteristic that traffic toward the target server increases rapidly. Thus, identifying the destination IP address is effective for detecting abnormal traffic. For example, the packet processing method described in Patent Document 1 observes the traffic volume for each previously registered destination IP address.
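The two monitoring steps described above, summing traffic volume per protocol and per destination IP address, and then flagging destinations whose volume rises sharply between observation intervals, can be implemented over exported flow statistics as follows. This is an added example, not code from the patent application or from any sFlow/NetFlow implementation; the `FlowRecord` type, the interval numbering, the RFC 5737 documentation addresses and the byte counts are all constructed for illustration, and the `ratio` and `min_bytes` thresholds are arbitrary assumptions a deployment would tune.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowRecord:
    """Minimal subset of what an sFlow/NetFlow export carries (constructed, not the wire format)."""
    interval: int        # index of the observation interval the record belongs to
    dst_ip: str          # destination IP address
    protocol: int        # IP protocol number: 6 = TCP, 17 = UDP, 1 = ICMP
    nbytes: int          # bytes counted in this record
    sampling_rate: int = 1  # sFlow exports sampled packets; scale counts back up by the rate


def aggregate(records, interval):
    """Return (total_bytes, bytes_by_protocol, bytes_by_destination) for one interval."""
    total = 0
    by_proto = defaultdict(int)
    by_dst = defaultdict(int)
    for r in records:
        if r.interval != interval:
            continue
        scaled = r.nbytes * r.sampling_rate  # undo packet sampling before summing
        total += scaled
        by_proto[r.protocol] += scaled
        by_dst[r.dst_ip] += scaled
    return total, dict(by_proto), dict(by_dst)


def detect_surges(records, baseline_interval, current_interval, ratio=5.0, min_bytes=1_000_000):
    """Flag destinations whose volume grew at least `ratio` times over the baseline interval.

    `min_bytes` suppresses alerts for low-volume hosts whose ratio is large only because the
    baseline was tiny. A destination absent from the baseline (a newly targeted host) is
    treated as baseline 0 and is flagged purely on exceeding `min_bytes`.
    """
    _, _, base_dst = aggregate(records, baseline_interval)
    _, _, cur_dst = aggregate(records, current_interval)
    flagged = []
    for dst, cur in cur_dst.items():
        base = base_dst.get(dst, 0)
        if cur >= min_bytes and cur >= ratio * max(base, 1):
            flagged.append((dst, base, cur))
    return sorted(flagged)


# Constructed sample export: interval 0 is normal traffic, interval 1 contains a surge
# toward 192.0.2.20 (reported through 1:1000 sampling) and a new target 192.0.2.40.
SAMPLE_RECORDS = [
    FlowRecord(0, "192.0.2.10", 6, 400_000),
    FlowRecord(0, "192.0.2.20", 17, 300_000),
    FlowRecord(0, "192.0.2.30", 6, 200_000),
    FlowRecord(1, "192.0.2.10", 6, 450_000),
    FlowRecord(1, "192.0.2.20", 17, 2_500, sampling_rate=1000),
    FlowRecord(1, "192.0.2.30", 6, 180_000),
    FlowRecord(1, "192.0.2.40", 17, 1_200_000),
]

if __name__ == "__main__":
    total, by_proto, by_dst = aggregate(SAMPLE_RECORDS, 1)
    print("interval 1 total bytes:", total)
    print("per protocol:", by_proto)
    print("per destination:", by_dst)
    for dst, base, cur in detect_surges(SAMPLE_RECORDS, 0, 1):
        print(f"surge toward {dst}: {base} -> {cur} bytes")
```

Only the volume fields of each record are touched, which is the point the text makes: no payload inspection is needed, so the monitor can consume exporter statistics rather than the full traffic. The per-protocol sums let an operator see whether a surge is, say, UDP-only, and the per-destination comparison against the previous interval is what singles out the host under attack.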
Non-patent Document 1: Network Working Group, Request for Comments: 3176, Category: Informational, “InMon Corporation's sFlow: A Method for Monitoring Traffic in Switched and Routed Networks” [online], P. Phaal, S. Panchen, N. McKee, InMon Corp., September 2001 [searched on Sep. 4, 2007], Internet <URL: http://www.ietf.org/rfc/rfc3176.txt>
Non-patent Document 2: Network Working Group, Request for Comments: 3954, Category: Informational, “Cisco Systems NetFlow Services Export Version 9” [online], B. Claise, Ed., Cisco Systems, October 2004 [searched on Sep. 4, 2007], Internet <URL: http://www.ietf.org/rfc/rfc3954.txt>
Patent Document 1: Japanese Patent Application Laid-Open No. 2003-283548